Google Moves To Plug Android Leak

Researchers in a German University discovered that 99
percent of Android phones connecting to unsecured wireless networks were leaving
themselves opento attack.

While phones on the 2.3.4 version of Android were protected
from the potential leaks, that left 99 percent of all Android handsets susceptible to having personal data stolen. Google has moved quickly to rectify the problem and
Android handset owners won’t have to so anything as it is a server-side fix.
"We're starting to roll out a fix which addresses a potential security
flaw that could, under certain circumstances, allow a third party access to
data available in calendar and contacts. This fix requires no action from users
and will roll out globally over the next few days," Google said in a statement. The problem came to
light after three researchers at the University of Ulm discovered the
vulnerability, which is due to an improper implementation of the ClientLogin
protocol.

The vulnerability affected the login credentials for some
Google applications such as Calendar and Contacts. The authentication token
that allows people to access the service without the need to keep logging in could
be intercepted by criminals if they were sent over unsecured wireless networks.
The token can be used for up to 14 days and the researchers said it was not just
limited to Calendar and Contacts, and it was “theoretically feasible with all
Google services using the ClientLogin authentication protocol for access to its
data APIs." The problem only occurs when users are accessing unsecured
Wi-Fi networks as apps will attempt syncing automatically - though this feature can be disabled.

Google has been praised by security experts for reacting so
quickly to the problem and it should be solved within a few days and until then,
users are advised to avoid open Wi-Fi networks or else turn off automatic syncing
when connecting to Wi-Fi.